Attachment A
Safety Codes Council
Enterprise Risk Management Framework
December 01, 2019
Version 1.0
Safety Codes Council Confidential
Enterprise Risk Management Framework i
Established by the Government of Alberta in 1993, the Safety Codes Council (“the Council”) is responsible to
the Minister of Municipal Affairs to administer portions of the safety codes system including:
The Board of Directors (“Board”) and Executive Committee (“EC”) recognize that risk management is an
important part of the Council’s annual business planning and long-term strategic planning process. The Council
defines risk as the effect of uncertainty on objectives. All risks with the potential to significantly impact the
Council or the achievement of the strategic plan are considered enterprise risks. The purpose of this document
is to outline the Program for identifying and managing the enterprise risks, although the approach and tools
may also be applied to assess risks related to any plans, programs, services, divisions, or new initiatives.
The Council’s Enterprise Risk Management (“ERM”) Framework and overall ERM Program are based upon the
International Organization for Standardization (“ISO”) 31000:2018 Risk Management – Principles and
Guidelines and the supporting Guide 73 Risk Management – Vocabulary (collectively referred to as “the
Standard”). ERM is the coordination of activities to direct the Council and control risk thereby creating and
protecting value, improving performance, encouraging innovation, and supporting the achievement of goals.
ERM is more than an exercise in risk avoidance and helps to identify priorities. It is as much about identifying
opportunities as avoiding or mitigating losses.
An effective ERM Program provides the following benefits:
Appendix A highlights some key definitions which will help in providing a better understanding of the terms
used throughout this ERM Framework.
The ERM oversight responsibility lies with the Board, which has delegated this responsibility to the Audit & Risk
Committee. Ultimately, the President and Chief Executive Officer (“CEO”) owns all risks and is responsible for
the effective management of risk for the Council as a whole. The Director, Corporate Strategy and
Communications is tasked with driving ERM implementation, including the integration and coordination
thereof, and EC is responsible for managing the risks.
Every employee of the Council is impacted in some way by risks, so every employee has an active role in being
aware of risk and taking part in the risk management process. This involves understanding and applying the
ERM Framework as well as identifying, analyzing, and managing risks.
Every employee within the Council has responsibility for day-to-day management of risks, with some having
more responsibilities than others. The detailed ERM roles and responsibilities are outlined in Appendix B.
This ERM Framework has been developed to direct the risk management process for the Council, which is the
identification and assessment of risks that may prevent the Council from achieving its strategic goals. The risk
management process described herein is a structured approach to be integrated into broader management
practices of the Council.
The typical process shown below and contained within this Framework is extracted from the Standard and can
be applied to strategic goals, divisions, projects, or activities.
The sections below provide more detail on the steps outlined in Figure 2.
The risk management process applies equally to risks that arise at an enterprise level, at an operational or
day-to-day divisional level, or for new projects or activities. When embarking upon a risk assessment initiative, it is
therefore important to have a clear understanding of the objectives / goals of the Council (or plans, programs,
services, divisions, or new initiatives) for which the risk assessment is being completed. These objectives / goals
should be clearly articulated and validated with the respective stakeholders prior to the initiation of the risk
assessment initiative.
For the remainder of this document the steps will only reference strategic goals, but they remain applicable to
the plan, program, service, division, or new initiative being assessed (should the Council choose to apply the
risk management process at these levels).
This step requires the identification of risks which arise not only from the external
environment, but also from internal sources. While identifying risks, also consider the causes
and sources of the risk as well as their potential consequences to the Council. It is important to consider the full
range of risks, including those risks associated with not pursuing an opportunity. The risk universe (included in
Appendix C) provides categories of risks to assist the Council in identifying those critical to the Council. This list
is not meant to be exhaustive nor in exact alignment with how the Council conducts its business; rather, it is
intended to be a thought starter in the identification process.
Risks may be identified through the following activities:
During this step, the levels of inherent and residual risk are determined by analyzing the
likelihood of each risk (frequency or probability) and its consequence (magnitude of the impact), using the risk
rating criteria included in Appendix E.
Inherent risk is the risk before considering existing controls / mitigation strategies that are currently in place.
Residual risk is the risk remaining after controls / mitigation strategies have been put in place to manage the
inherent risk.
Likelihood and consequence should be viewed both in the absence of existing controls (inherent risk), as well
as in the context of existing controls which may detect or prevent undesirable risks and events. This serves
either to demonstrate the importance of existing controls/strategies and justify their continuation, or to
identify those controls which are no longer necessary or cost-effective. This analysis also identifies the
significance of the risk exposure should the existing controls/strategies fail.
To evaluate the level of residual risk, the Council must identify those existing controls that have been
implemented to mitigate or manage the risk under consideration. It is important to ensure only existing (not
planned) controls are identified to provide an accurate reflection of the Council’s current risk exposure.
To understand the relative priority of each risk, an overall inherent and residual risk score
must be calculated and assessed against pre-established criteria (i.e. the Risk Matrix in
Appendix F). The risk score is determined by multiplying the ratings for likelihood and consequence separately
for inherent and then residual risk. Once the overall risk scores have been determined, the inherent and
residual risk scores are compared against the Risk Matrix to determine the overall risk rating (i.e. extreme,
high, moderate, or low).
The Risk Matrix reflects the Council’s risk appetite, which is demonstrated by the coloring of each of the cells in
the Matrix. Essentially, any high or extreme level risks (orange or red) are outside of the Council’s risk appetite
and require the selection of one or more risk treatment strategies and the identification and development of
specific risk mitigation plan(s) on a timely basis. If the level of risk established is moderate or low (i.e. yellow or
green risks), then the risk may be tolerable and additional risk management plans are not required.
At this point, the Council should also review and refine the risk scores to not only ensure they are appropriate,
but to also ensure the prioritization of risks relative to one another aligns with EC expectations. Adjustments to
risk scores should be made to more accurately reflect the prioritization of the risks. This final residual risk rating
is then used in the following step (i.e. Risk Treatment) to determine the appropriate risk treatment strategy to
manage the risk to an acceptable level.
As a result of completing the previous steps, risks have now been prioritized and risks outside
of the Council’s risk appetite have been determined. Management is now responsible for
deciding how it will treat the risks that are in excess of its risk appetite. For risks with a
residual rating that is within the Council’s risk appetite, no further action is required. It is not the intent to
minimize, avoid, or remove all risks that are identified; rather, the intent is that the Council understands the
significant risks (those outside of risk appetite) that could adversely impact the achievement of strategic goals
and, where appropriate, establishes plans to address them. In addition, the Council should assess whether
opportunities exist to exploit risks in support of achieving its strategic objectives.
Various risk treatment strategies (or a combination thereof) are available for a given risk. Risk treatment
strategies are not mutually exclusive (i.e. they can be combined), nor is any one strategy appropriate in all
circumstances. There are seven risk treatment strategies that can broadly be divided into the following four
categories:
Selecting the most appropriate risk treatment strategy involves balancing the costs and efforts of
implementation against the benefits derived, with regards to legal, regulatory, and other requirements such as
social responsibility, stakeholder expectations, and the degree of control over each risk. More specifically, risk
treatment decisions should consider the likelihood and consequence of the risk in determining the need for
further treatment. For example, although a risk may have an extreme consequence, the potentially excessive
cost of implementing a risk treatment strategy may not be justifiable given its low likelihood. Accordingly, the
choice may be made to accept the risk, as opposed to taking further action to reduce or share it. In addition,
the Council should also recognize that implementing a specific risk treatment strategy may reduce the
likelihood or consequence of more than one risk, which may impact the cost-benefit analysis.
For all risk treatment strategies other than “accepting the risk”, a risk mitigation plan should be developed to
implement the risk treatment strategy. Developing risk mitigation plans includes:
Once the ERM Program is implemented, it is important to monitor and review the
effectiveness of the Council’s ERM Program over a period of time. A well-crafted ERM
Program is only as effective as the dedication of the Council’s employees who adhere to the ERM principles and
incorporate them into their daily decision-making processes. Monitoring and review mechanisms help to:
Independent risk management evaluations are periodic reviews (typically every two to three years) of the
effectiveness of the Council’s ERM Program conducted by an independent party. Independent risk
management evaluations provide the Council with an opportunity to gain an objective perspective of the
effectiveness and maturity of the Council’s ERM Program.
The Council should continually monitor risks and the effectiveness of the plans, strategies, processes, and
management systems that have been established to manage risks and guide the implementation of risk
treatment strategies. To assess the effectiveness of the ERM Program, the Council should consider annually
whether risks are effectively identified and assessed and regularly monitored and reviewed, thereby managing
residual risk within the risk appetite of the Council. The Council should also ensure new and emerging risks are
being considered and, where appropriate, integrated within the strategic risk register. Functions and processes
change, as can the strategic goals of the Council. Accordingly, risks should be regularly re-examined to ensure
the risks and the ways in which they are managed remain valid.
Ongoing monitoring and review are essential for managing risk. They are actions built into the normal
operating activities of the Council and are performed by risk owners as they consider the implications of the
information they receive. Regular performance information or Key Risk Indicators (“KRIs”) can assist in
identifying likely trends, trouble spots, and other changes which have arisen. The process of monitoring and
review ensures that risk management strategies continue to be effective and a vital part of the Council’s
business processes, while instilling a culture of continuous improvement.
The risk management process and its outcomes should be documented and reported
through appropriate mechanisms. Recording and reporting aims to:
Factors to consider for reporting include:
Risk reporting is essential to ensure that key stakeholders are kept abreast of the significant risks and the
actions resulting from risk management activities. In doing so, management and employees are better able to
make informed decisions relative to risks and better support the achievement of the Council’s objectives. The
risk reporting requirements for the Council are outlined in Appendix G.
Effective communication and consultation are essential to ensure that those responsible for
implementing risk management, and those with a vested interest, understand the basis upon which decisions
are made and the reasons why particular risk treatment options are selected. Communication seeks to
promote awareness and understanding of risk, whereas consultation involves obtaining feedback and
information to support decision-making. Close coordination between communication and consultation should
facilitate factual, timely, relevant, accurate, and understandable exchange of risk-related information.
Continuous communication and consultation with internal and external stakeholders during all stages of the
risk management process is pertinent, particularly when risk treatment strategies and risk management plans
are first being developed and when significant decisions need to be made. Risk management is enhanced
through effective communication and consultation when all parties understand each other’s perspectives and,
where appropriate, are actively involved in decision making.
Communication and consultation aim to:
Consequence: Result or effect of a risk. The consequence can be certain or uncertain and can have positive or negative direct or indirect effects on the Council’s goals.
Control: A measure that modifies risk. Controls include any process, policy, device, practice, or action which modifies risk.
Cost Benefit Analysis: A systematic approach to estimating the strengths and weaknesses of alternatives that satisfy transactions, activities, or functional requirements for a business. In the context of ERM, it entails analyzing the costs involved in implementing additional risk management activities versus the additional benefit derived by implementing those activities.
Divisions: The Council’s groups or functional units overseen by senior manager level staff.
Enterprise Risk Management: Coordinated activities to direct and control the Council regarding risk to create and protect value, improve performance, encourage innovation, and support achievement of goals.
ERM Framework: A set of components that provide the foundations and organizational arrangements for the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording, and reporting risk throughout the Council.
ERM Program: Describes how the Council intends to manage risk. Typically, the Program includes the ERM Policy, ERM Framework, and processes. It describes the management components, the approach, and the resources that are to be used to manage risk, including procedures, practices, responsibilities, and activities.
Governance: Processes by which an organization is directed, controlled, and held to account. It encompasses authority, accountability, stewardship, leadership, direction, and control exercised by the Council.
Inherent Risk: The risk to the Council in the absence of any actions taken to alter either the risk’s frequency of occurrence and / or consequence.
Key Risk Indicator: A Key Risk Indicator, also known as a KRI, is an “early warning” indicator of changing and emerging risks and should be aligned with the strategic priorities and key performance indicators (“KPIs”) of the Council as set out in its strategic plan. In certain instances, a KRI can be the same as an existing KPI. KRIs help to identify potential risks that may impede the success of the Council and/or harm the continuity of operations.
Likelihood: The probability that the risk will occur within a fixed timeframe. Likelihood is usually expressed in terms of probability or frequency.
Residual Risk: The remaining risk after actions have been taken to alter the risk’s frequency of occurrence and / or consequence.
Risk: The effect of uncertainty on objectives. An effect is a deviation from the expected, either positive or negative.
Risk Analysis: The process to comprehend the nature of risk and to determine the level of risk. Risk analysis provides the basis for risk evaluation and decisions about risk treatment.
Risk Appetite: The amount and type of risk that the Council is willing to pursue or retain.
Risk Assessment: The overall process of risk identification, risk analysis, and risk evaluation.
Risk Context: Background information related to the risk to assist in understanding the nature, sources, and causes of the risk.
Risk Evaluation: The process of comparing the results of risk analysis with risk criteria to determine whether the risk and / or its magnitude is acceptable or tolerable. Risk evaluation assists in the decision about risk treatment.
Risk Identification: The process of finding, recognizing, and describing risks. Risk identification involves the identification of risk sources, events, their causes, and their potential consequences.
Risk Management: See Enterprise Risk Management.
Risk Management Process: The systematic application of policies, procedures, and practices to the activities of communicating and consulting, establishing the context, and assessing, treating, monitoring, reviewing, recording, and reporting risk.
Risk Owner: The person with the accountability and authority to manage a risk.
Risk Tolerance: The level of variation around key performance indicators (“KPIs”) and KRIs that the Council is willing to accept in the pursuit of strategic goals and the management of related specific risks. In defining risk tolerance, KPIs and KRIs should be in place for strategic goals and risks.
Risk Treatment Strategy: The process to modify risk. This involves the selection and implementation of appropriate options for dealing with risk, which may include:
Stakeholders: Parties that are affected by the Council, such as the Municipal, Provincial, or Federal government, employees, regulators, customers, suppliers, etc.
Strategic Risk: Risks that could prevent the Council from achieving its strategic objectives.
Turnover: The act of replacing an employee with a new employee. Turnover rate is the percentage of employees in a workforce that leave during a certain period of time.
Specific roles and responsibilities for each of the key roles identified in Section 3 Roles and Responsibilities are
provided in the table below:
Stakeholder Roles and Responsibilities

Board of Directors
Role: The Board provides oversight regarding ERM including direction, guidance, and monitoring. The Board may delegate the responsibilities outlined below to the Audit & Risk Committee.
Responsibilities:

Audit & Risk Committee
Role: The Audit & Risk Committee provides oversight of the ERM Program (when delegated to do so by the Board).
Responsibilities:

President & Chief Executive Officer
Role: The President and CEO is directly accountable to the Board for the management of all risks and the implementation of the ERM Program. The President and CEO may delegate the responsibilities outlined below.
Responsibilities:

Director, Corporate Strategy and Communications
Role: The Director, Corporate Strategy and Communications is the ERM sponsor and is responsible for implementing, integrating, and facilitating the ERM program.
Responsibilities:

Executive Committee
Role: The EC supports the implementation of the ERM Program and manages risks from an enterprise-wide perspective.
Responsibilities:

Risk Owner
Role: Responsible for the day-to-day management of the risks assigned to the risk owner.
Responsibilities:

Safety Codes Council Employees
Role: Responsible for the day-to-day management of the risks.
Responsibilities:
Included below is a sample summarized risk register template, populated with example risk information to
illustrate its use. The risk register itself is maintained in a separate MS Excel document.
Columns: Risk Name; Risk Statement; Inherent Risk Score; Existing Controls; Residual Risk Score; Treatment Strategy

Risk Name: Recruitment & Retention
Risk Statement: Risk that the Council is unable to recruit and retain sufficient, qualified staff.
Inherent Risk Score: 20.0
Existing Controls:
● Performance management process is in place
● Employee engagement survey conducted annually
Residual Risk Score: 9.0
Treatment Strategy: Reduce
The table below outlines the reporting requirements, in terms of the type of information for each stakeholder,
who delivers / presents the information, the frequency, and the forum for discussion.
Columns: Stakeholders; Type of Risk Management Information; Reporting Responsibility; Timing; Format of Report; Forum for Discussion

Board of Directors (reported by the CEO, annually, as dashboard reporting, at the Board Meeting):
● Analysis of top 10 risks over a three to five-year period
● Summary of extreme and high risks, with key risk indicator analysis and trending
● Review of risk register

Audit & Risk Committee (reported by the Director Corporate Strategy & Communications, quarterly, as dashboard reporting, at the Audit & Risk Committee Meeting):
● Analysis of top 10 risks over a three to five-year period
● Summary of extreme and high risks, with key risk indicator analysis and trending
● Summary of extreme and high risks with updates on risk treatment implementation progress
● Summary of new risks

EC (reported by the Director Corporate Strategy & Communications, quarterly, at the EC Meeting):
● Analysis of top 10 risks over a three to five-year period (dashboard reporting)
● Summary of extreme and high risks, with KRI analysis and trending (dashboard reporting and prioritized risk register)
● Summary of extreme and high risks with updates on risk treatment implementation progress (dashboard reporting)
● Summary of new risks (dashboard reporting)
Contact:
Erin Stroud
Director Corporate Strategy & Communications
Phone: 780.392.1366
Email: [email protected]